# c7n-org > Cloud Custodian - Parallel Execution - **URL**: https://www.freshcrate.ai/projects/c7n-org - **Author**: Cloud Custodian Project - **Category**: Developer Tools - **Latest version**: `0.9.51.0` (2026-05-28) - **License**: Unknown - **Source**: https://github.com/cloud-custodian/cloud-custodian - **Homepage**: https://pypi.org/project/c7n-org/ - **Language**: Python - **GitHub**: 5,967 stars, 1,611 forks - **Registry**: pypi (`c7n-org`) - **Tags**: `pypi` ## Description # c7n-org: Multi Account Custodian Execution % [comment]: # ( !!! IMPORTANT !!! ) % [comment]: # (This file is moved during document generation.) % [comment]: # (Only edit the original document at ./tools/c7n_org/README.md) c7n-org is a tool to run Custodian against multiple AWS accounts, Azure subscriptions, GCP projects, or OCI tenancies in parallel. ## Installation ```shell pip install c7n-org ``` c7n-org has 3 run modes: ```shell Usage: c7n-org [OPTIONS] COMMAND [ARGS]... custodian organization multi-account runner. Options: --help Show this message and exit. Commands: aws-accounts generate c7n-org aws accounts config file report report on an AWS cross account policy execution run run a custodian policy across accounts (AWS, Azure, GCP, OCI) run-script run a script across AWS accounts ``` In order to run c7n-org against multiple accounts, a config file must first be created containing pertinent information about the accounts: Example AWS Config File: ```yaml accounts: - account_id: '123123123123' name: account-1 regions: - us-east-1 - us-west-2 role: arn:aws:iam::123123123123:role/CloudCustodian vars: charge_code: xyz tags: - type:prod - division:some division - partition:us - scope:pci ... ``` Example Azure Config File: ```yaml subscriptions: - name: Subscription-1 subscription_id: a1b2c3d4-e5f6-g7h8i9... - name: Subscription-2 subscription_id: 1z2y3x4w-5v6u-7t8s9r... ``` Example GCP Config File: ```yaml projects: - name: app-dev project_id: app-203501 tags: - label:env:dev - name: app-prod project_id: app-1291 tags: - label:env:dev ``` Example OCI Config File: ```yaml tenancies: - name: dev-tenancy profile: DEVTENANCY regions: - us-ashburn-1 - us-phoenix-1 vars: environment: dev tags: - type:test ... ``` ### Config File Generation We also distribute subcommands and scripts to generate the necessary config file in the [`scripts` folder](https://github.com/cloud-custodian/cloud-custodian/tree/main/tools/c7n_org/scripts). **Note:** Besides AWS, these are distributed only via git. Per , we'll be looking to incorporate them into a new c7n-org subcommand. - For **AWS**, the subcommand `aws-accounts` generates a config file from the AWS Organizations API. ```shell c7n-org aws-accounts -f accounts.yml ``` - For **Azure**, the script `azuresubs.py` generates a config file from the Azure Resource Management API. - Please see the [Additional Azure Instructions](#additional-azure-instructions) for initial setup and other important info. ```shell python azuresubs.py -f subscriptions.yml ``` - For **GCP**, the script `gcpprojects.py` generates a config file from the GCP Resource Management API. ```shell python gcpprojects.py -f projects.yml ``` - For **OCI**, the script `ocitenancies.py` generates a config file using OCI Configuration file and OCI Organizations API. - Please refer to the [Additional OCI Instructions](#additional-oci-instructions) for additional information. ```shell python ocitenancies.py -f tenancies.yml ``` ## Running a Policy with c7n-org To run a policy, the following arguments must be passed in: ```shell -c | accounts|projects|subscriptions|tenancies config file -s | output directory -u | policy ``` For example: ```shell c7n-org run -c accounts.yml -s output -u test.yml --dryrun ``` After running the above command, the following folder structure will be created: ``` output |_ account-1 |_ us-east-1 |_ policy-name |_ resources.json |_ custodian-run.log |_ us-west-2 |_ policy-name |_ resources.json |_ custodian-run.log |- account-2 ... ``` Use `c7n-org report` to generate a csv report from the output directory. ## Selecting accounts, regions, policies for execution You can filter the accounts to be run against by either passing the account name or id via the `-a` flag, which can be specified multiple times, or alternatively with comma separated values. Groups of accounts can also be selected for execution by specifying the `-t` tag filter. Account tags are specified in the config file. Given the above accounts config file, you can specify all prod accounts with `-t type:prod`. You can specify the `-t` flag multiple times or use a comma separated list. You can specify which policies to use for execution by either specifying `-p` or selecting groups of policies via their tags with `-l`. Both options support being specified multiple times or using comma separated values. By default in AWS, c7n-org will execute in parallel across regions. The `-r` flag can be specified multiple times and defaults to `(us-east-1, us-west-2)`. A special value of `all` will execute across all regions. See `c7n-org run --help` for more information. # ## Recent releases | Version | Date | Urgency | Changes | | --- | --- | --- | --- | | `0.9.51.0` | 2026-05-28 | High | ## What's Changed ### AWS * aws - wafv2 support for using API attributes especially redacted fields by @PratMis in https://github.com/cloud-custodian/cloud-custodian/pull/10653 * Feat/guardrails by @charliedelta85 in https://github.com/cloud-custodian/cloud-custodian/pull/10605 * aws/config-compliance: match resources by config_id when available by @raajheshkannaa in https://github.com/cloud-custodian/cloud-custodian/pull/10637 * sanitize Lambda VpcConfig for SecurityHub findings by @Ol | | `0.6.49` | 2026-04-21 | Low | Imported from PyPI (0.6.49) | | `0.9.50.0` | 2026-03-18 | Low | ## What's Changed ### multiple providers * core - Add ability to normalize tag keys in filters by @adamsgoldsmith in https://github.com/cloud-custodian/cloud-custodian/pull/10380 * aws/azure/gcp - metric(s) filter - add start-of-day option by @iamanmolm in https://github.com/cloud-custodian/cloud-custodian/pull/10573 ### aws * aws - cross-account joint condition of org id and wildcard by @jerryhxu in https://github.com/cloud-custodian/cloud-custodian/pull/10499 * aws - implement th | | `0.9.50.0` | 2026-03-18 | Low | ## What's Changed ### multiple providers * core - Add ability to normalize tag keys in filters by @adamsgoldsmith in https://github.com/cloud-custodian/cloud-custodian/pull/10380 * aws/azure/gcp - metric(s) filter - add start-of-day option by @iamanmolm in https://github.com/cloud-custodian/cloud-custodian/pull/10573 ### aws * aws - cross-account joint condition of org id and wildcard by @jerryhxu in https://github.com/cloud-custodian/cloud-custodian/pull/10499 * aws - implement th | | `0.9.50.0` | 2026-03-18 | Low | ## What's Changed ### multiple providers * core - Add ability to normalize tag keys in filters by @adamsgoldsmith in https://github.com/cloud-custodian/cloud-custodian/pull/10380 * aws/azure/gcp - metric(s) filter - add start-of-day option by @iamanmolm in https://github.com/cloud-custodian/cloud-custodian/pull/10573 ### aws * aws - cross-account joint condition of org id and wildcard by @jerryhxu in https://github.com/cloud-custodian/cloud-custodian/pull/10499 * aws - implement th | | `0.9.50.0` | 2026-03-18 | Low | ## What's Changed ### multiple providers * core - Add ability to normalize tag keys in filters by @adamsgoldsmith in https://github.com/cloud-custodian/cloud-custodian/pull/10380 * aws/azure/gcp - metric(s) filter - add start-of-day option by @iamanmolm in https://github.com/cloud-custodian/cloud-custodian/pull/10573 ### aws * aws - cross-account joint condition of org id and wildcard by @jerryhxu in https://github.com/cloud-custodian/cloud-custodian/pull/10499 * aws - implement th | | `0.9.50.0` | 2026-03-18 | Low | ## What's Changed ### multiple providers * core - Add ability to normalize tag keys in filters by @adamsgoldsmith in https://github.com/cloud-custodian/cloud-custodian/pull/10380 * aws/azure/gcp - metric(s) filter - add start-of-day option by @iamanmolm in https://github.com/cloud-custodian/cloud-custodian/pull/10573 ### aws * aws - cross-account joint condition of org id and wildcard by @jerryhxu in https://github.com/cloud-custodian/cloud-custodian/pull/10499 * aws - implement th | | `0.9.50.0` | 2026-03-18 | Low | ## What's Changed ### multiple providers * core - Add ability to normalize tag keys in filters by @adamsgoldsmith in https://github.com/cloud-custodian/cloud-custodian/pull/10380 * aws/azure/gcp - metric(s) filter - add start-of-day option by @iamanmolm in https://github.com/cloud-custodian/cloud-custodian/pull/10573 ### aws * aws - cross-account joint condition of org id and wildcard by @jerryhxu in https://github.com/cloud-custodian/cloud-custodian/pull/10499 * aws - implement th | | `0.9.50.0` | 2026-03-18 | Low | ## What's Changed ### multiple providers * core - Add ability to normalize tag keys in filters by @adamsgoldsmith in https://github.com/cloud-custodian/cloud-custodian/pull/10380 * aws/azure/gcp - metric(s) filter - add start-of-day option by @iamanmolm in https://github.com/cloud-custodian/cloud-custodian/pull/10573 ### aws * aws - cross-account joint condition of org id and wildcard by @jerryhxu in https://github.com/cloud-custodian/cloud-custodian/pull/10499 * aws - implement th | | `0.9.50.0` | 2026-03-18 | Low | ## What's Changed ### multiple providers * core - Add ability to normalize tag keys in filters by @adamsgoldsmith in https://github.com/cloud-custodian/cloud-custodian/pull/10380 * aws/azure/gcp - metric(s) filter - add start-of-day option by @iamanmolm in https://github.com/cloud-custodian/cloud-custodian/pull/10573 ### aws * aws - cross-account joint condition of org id and wildcard by @jerryhxu in https://github.com/cloud-custodian/cloud-custodian/pull/10499 * aws - implement th | ## Dependency audit - **Score**: 76/100 - **Total deps**: 8 - **Resolved**: 4 - **Unresolved**: 4 - **License conflicts**: 0 - **Warnings**: 7 - **Scanned**: 2026-05-25 ## Citation - HTML: https://www.freshcrate.ai/projects/c7n-org - Markdown: https://www.freshcrate.ai/projects/c7n-org.md - Dependencies JSON: https://www.freshcrate.ai/api/projects/c7n-org/deps _Generated by freshcrate.ai. Indexes pypi releases for AI-agent ecosystem packages._